CSR1000v HA Redundancy Deployment Guide on Microsoft Azure with AzureCLI 2.0

Contents

Introduction
Prerequisites
Requirements
Components Used
Goal
Topology
Network Diagram
Terminology
Restrictions
Configuration
Overview
Step 1. Install AzureCLI 2.0.
Step 2. Create a Resource Group.
Step 3. Create a Vnet.
Step 4. Create Route Tables.
Step 5. Create Subnets.
Step 6. Create a CSR1000v router.
Step 7. Create the second CSR1000v router.
Step 8. Create a host VM with the same procedure in step 6. This example uses UbuntuLTS.
Step 9. Add routes to routing tables and VMs.
Step 10. Configure the CSR1000v routers.
Verify High Availability
Troubleshoot
Related Information

Introduction

This document provides a step by step configuration guide on how to deploy CSR1000v routers for High Availability (HA) in the Microsoft Azure cloud with AzureCLI 2.0. It is aimed to give users practical knowledge of HA and the ability to deploy a fully functional testbed.

There are various methods to deploy images on Azure, and the most familiar method for most users is the web portal. However, AzureCLI is a quick and powerful tool once you are familiar with it.

For more in-depth background about Azure, how to deploy a CSR1000v through the web portal, and HA, refer to the Cisco CSR 1000v Deployment Guide for Microsoft Azure and the Related Information section.
Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

● A Microsoft Azure account
● 2 CSR1000v and 1 Windows/Linux Virtual Machine
● AzureCLI 2.0
Components Used
The information in this document is based on Cisco IOS-XE® Denali 16.7.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Goal
Deploy 2 CSR1000v routers and 1 VM (Windows/Linux). Simulate continuous traffic from the private datacenter (VM) to the internet (8.8.8.8). Simulate an HA failover and observe that HA has succeeded by confirming that the Azure routing table has switched traffic from CSR-A to CSR-B's private interface.
Topology
It is important to fully understand the topology and design before you start the configuration. This helps to troubleshoot any potential issues later on.
There can be various scenarios of HA deployments based on the user's requirements. For this example, configure HA redundancy with these settings:

● 1x - Region (South Central US)
● 1x - Resource Group (CorporateDatacenterResourceGroup)
For now, internet access through the public interface is left enabled on the VM so that you can access and configure it. Generally, all normal traffic should flow through the private route table. The public interface on the VM can be disabled later so that no traffic is accidentally leaked.

Traffic simulation is performed by pinging 8.8.8.8 from the VM's private interface, which sits behind the inside route table that points to CSRA. In a failover scenario, observe that the private route table has switched the route to point to CSRB's private interface.
Network Diagram
Terminology

● Resource Group - This is a way for Azure to keep track of all of your resources, like virtual machines and vnets. This is usually used to manage all the items and to keep track of charges.
● Vnet - A virtual network (similar to a VPC in AWS terminology).
● Route Table - This contains the rules for a subnet and can forward specific traffic to an IP address or act like a VPN endpoint.
Restrictions
● Azure itself may introduce roughly a 40-50 second delay in an HA failover.
Configuration
Overview

There are a few methods to deploy VMs on Azure:

1. Web Portal - HA documentation on cisco.com
2. Powershell - Command line based model for managing Azure resources.
3. AzureCLI 2.0 - Also command line based. It is open source and written in python and needs to be installed on your local system. At the time this document was written, AzureCLI 2.0 was the latest version.
4. Azure Cloud Shell - Choose the Bash shell option instead of the Powershell option to use AzureCLI through the shell. No installation is necessary for this method.

Powershell and AzureCLI are similar, but the commands for AzureCLI are more straightforward. Both can run on Windows, MacOS and Linux. Refer to Choosing the right tooling for Azure and Side by side Azure CLI and PowerShell commands for a comparison.

For this example, deploy all resources with either AzureCLI or Cloud Shell. AzureCLI can be installed on MacOS, Windows or Linux with slightly different steps. There is no difference in configuration through the rest of the procedure between AzureCLI and Azure Cloud Shell.
Step 1. Install AzureCLI 2.0.

When you list images without a publisher, offer or SKU filter, AzureCLI warns:

You are retrieving all the images from server which could take more than a minute. To shorten
the wait, provide '--publisher', '--offer' or '--sku'. Partial name search is supported.

● Refer to Microsoft's Azure CLI 2.0 documentation for detailed information on all configuration commands.
Step 2. Create a Resource Group.

A Resource Group is a container that holds related resources for an Azure solution. Give a name to your Resource Group and pick a location to deploy the container. This example uses South Central US.
Step 3. Create a Vnet.

A Vnet is a space of IP addresses where our network is deployed. This range is then split into smaller subnets and assigned to interfaces. Give a name to your vnet, assign it into the
Step 5. Create Subnets.

1. Create a /24 subnet from the space you assigned for the vnet in step 3, then assign it to the Inside Route Table.

$ az network vnet subnet create --address-prefix 192.168.1.0/24 --name InsideSubnet --

2. Create another /24 subnet from the space you assigned for the vnet and assign it to the Outside Route Table.

$ az network vnet subnet create --address-prefix 192.168.2.0/24 --name OutsideSubnet --
Step 6. Create a CSR1000v router.

List the available CSR1000v images on Azure. This example uses the urn name cisco:cisco-csr-1000v:16_7:16.7.120171201.

$ az vm image list --all --publisher Cisco --offer cisco-csr-1000v
Step 7. Create the second CSR1000v router.

Deploy the second CSR1000v with the same image cisco:cisco-csr-1000v:16_7:16.7.120171201.

$ az vm create --resource-group CorporateDatacenterResourceGroup --name CSRB --location
Step 8. Create a host VM with the same procedure in step 6. This example uses UbuntuLTS.

Create the Outside NIC and associate the OutsideSubnet and the public IP address to it. When subnets are associated with NICs, an IP address is automatically assigned to the NIC. In this example, the OutsideSubnet is 192.168.2.0/24 and the IP address automatically assigned to the NIC is 192.168.2.6.

$ az network nic create --name VMHostOutsideInterface --resource-group
Step 9. Add routes to routing tables and VMs.

1. Add a default route for the inside subnet to route traffic through CSRA by setting the next hop IP address to 192.168.1.4. This is done on the InsideRouteTable.

$ az network route-table route create --address-prefix 8.8.8.8/32 --name default_route --

2. Add a route for traffic in the network to reach the internet on the OutsideRouteTable.

$ az network route-table route create --address-prefix 8.8.8.8/32 --name internet --next-hop-type Internet --resource-group CorporateDatacenterResourceGroup --route-table-name

3. Login to the Ubuntu VM and add a route to force traffic through the inside interface to 8.8.8.8. The Azure route table automatically uses the first IP in a subnet as its gateway. The inside interface's (eth1) subnet is 192.168.1.0/24, which means that 192.168.1.1 is the default gateway address for the host VM.

$ ifconfig
Note: NAT must be configured on the CSR1000v routers in Step 10 in order to ping the internet (8.8.8.8).

Note: Steps 10-14 cover the configuration of the CSR1000v routers for HA. Abbreviated steps from the Cisco CSR 1000v Deployment Guide for Microsoft Azure are provided, beginning from Configure a Trustpool. Visit the guide for complete details.
Step 10. Configure the CSR1000v routers.
1. Configure a Trustpool on both CSR1000v routers.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
Reading file from http://www.cisco.com/security/pki/trs/ios.p7b
2. Configure an IPsec tunnel between the Cisco CSR 1000v routers and enable Bidirectional Forwarding Detection (BFD) and a routing protocol (EIGRP or BGP) on the tunnel between the routers for peer failure detection. Note: The tunnel destination address in the configuration is the public IP address of the peer CSR.

CSRA Configuration

crypto isakmp policy 1
set security-association lifetime kilobytes disable
set security-association lifetime seconds 86400
set transform-set uni-perf
set pfs group2
!
interface Tunnel1
ip address 192.168.101.2 255.255.255.252
bfd interval 500 min_rx 500 multiplier 3
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 40.124.43.82 /* Public IP of the peer CSR */
tunnel protection ipsec profile vti-1
!
router eigrp 1
bfd all-interfaces
network 192.168.101.0
3. The same configuration for NAT and routing is used on both CSR1000v routers. This is for VM internet reachability through the inside interface.

interface GigabitEthernet1
ip nat outside
!
interface GigabitEthernet2
ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet1 overload
access-list 10 permit 192.168.1.0 0.0.0.255 /* Translating the inside subnet of the VM */
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip route 192.168.1.0 255.255.255.0 GigabitEthernet2 192.168.1.1
4. Add Access Controls (IAM) for a Route Table. In AzureCLI, allow the application (CSRA and CSRB) to modify the InsideRouteTable in Azure during a failover. Note the id of the InsideRouteTable to be used as the --scopes option in the next section.

$ az network route-table show --resource-group CorporateDatacenterResourceGroup --name
5. Create the IAM role for the InsideRouteTable. The --scopes option is taken from the id field of the previous output. Note the app-id, password (which is the app-key), and tenant id.

$ az ad sp create-for-rbac -n "InsideRouteTableIAM" --role "network contributor" --scopes
6. Configure cloud redundancy on both routers. The only differences between the configurations of the two routers are the bfd peers and the default-gateway.

CSRA Configuration

redundancy
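The service principal created in the IAM step is what each CSR1000v uses to rewrite the InsideRouteTable during a failover, and its app-key ends up in the router configuration, so the assignment should be no wider than the single route table id passed in --scopes. The Python script below is an added example, not part of the Cisco guide. It audits JSON in the shape printed by `az role assignment list --assignee <app-id> --all` (the field names roleDefinitionName, scope and principalName are AzureCLI's own); the subscription id is a placeholder and the second, resource-group-wide assignment in the sample is constructed to show what a finding looks like.

```python
"""Audit the scope of the InsideRouteTableIAM service principal (added example).

Feed it the JSON that `az role assignment list --assignee <app-id> --all` prints.
The sample below is constructed: the subscription id is a placeholder and the
second assignment is deliberately over-broad to show what a finding looks like.
"""
import json

EXPECTED_ROLE = "Network Contributor"

# The id field from `az network route-table show`, used as --scopes in step 10
# (placeholder subscription id).
ROUTE_TABLE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/CorporateDatacenterResourceGroup"
    "/providers/Microsoft.Network/routeTables/InsideRouteTable"
)

# Constructed sample output of `az role assignment list --assignee <app-id> --all`.
SAMPLE_ASSIGNMENTS = json.dumps([
    {
        "principalName": "InsideRouteTableIAM",
        "roleDefinitionName": "Network Contributor",
        "scope": ROUTE_TABLE_ID,
    },
    {
        # An assignment at resource-group scope: wider than the route table (constructed).
        "principalName": "InsideRouteTableIAM",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
                 "/resourceGroups/CorporateDatacenterResourceGroup",
    },
])


def audit_assignments(assignments_json, expected_scope=ROUTE_TABLE_ID, expected_role=EXPECTED_ROLE):
    """Return a list of findings (strings). An empty list means the principal holds
    exactly the expected role on exactly the expected resource and nothing else."""
    findings = []
    exact_match = False
    want = expected_scope.rstrip("/").lower()
    for a in json.loads(assignments_json):
        scope = a["scope"].rstrip("/").lower()
        role = a["roleDefinitionName"]
        who = a.get("principalName", a.get("principalId", "?"))
        if scope == want and role == expected_role:
            exact_match = True
        elif want.startswith(scope + "/"):
            # Scope is an ancestor (resource group, subscription, management group or "/"):
            # the role then applies to every resource below it, not just the route table.
            findings.append(f"{who}: '{role}' granted at parent scope {a['scope']}")
        elif scope == want:
            findings.append(f"{who}: unexpected role '{role}' on the route table")
        else:
            findings.append(f"{who}: '{role}' granted on unrelated resource {a['scope']}")
    if not exact_match:
        findings.append(f"no '{expected_role}' assignment found on {expected_scope}")
    return findings


if __name__ == "__main__":
    for line in audit_assignments(SAMPLE_ASSIGNMENTS) or ["OK: scope is exactly the route table"]:
        print(line)
```

Run it against the real output by piping `az role assignment list --assignee <app-id> --all -o json` into a small wrapper that calls audit_assignments; the comparison is case-insensitive because Azure resource ids are not case-stable across commands, and a scope of "/" (root) is treated as a parent scope like any other.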
Verify High Availability

1. Run a ping and traceroute from the VM to the destination. Ensure the ping is through the inside eth1 interface.

$ ping -I eth1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.6 eth1: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=54 time=10.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=54 time=10.6 ms
$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.1.4 (192.168.1.4) 1.516 ms 1.503 ms 1.479 ms
2. Ping from the VM's inside interface (eth1):

cisco@VmHost:~$ ping -I eth1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.6 eth1: 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=10.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=10.3 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=10.3 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=10.2 ms
3. Traceroute shows that the path from the VM to 8.8.8.8 is through CSRA's inside interface.

cisco@VmHost:~$ sudo traceroute -I 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1 192.168.1.4 (192.168.1.4) 34.003 ms 34.000 ms 33.998 ms
4. Shut down CSRA's tunnel 1 interface to simulate a failover.

CSRA#config t
Enter configuration commands, one per line. End with CNTL/Z.
CSRA(config)#int tunnel1
CSRA(config-if)#sh
5. Observe that traffic now flows through CSRB's private interface.

cisco@VmHost:~$ sudo traceroute -I 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1 192.168.1.5 (192.168.1.5) 1.294 ms 1.291 ms 1.290 ms
Note: The Azure cloud may introduce a delay when failing over. The delay should be no longer than 1 minute.
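The traceroute above confirms the failover from the VM's point of view; the same fact can be read from the Azure side, which also lets you put a number on the delay the note mentions and confirm that the default_route entry from Step 9 was only re-pointed, not replaced. The Python script below is an added example, not part of the Cisco guide. It parses JSON in the shape of `az network route-table route list --resource-group CorporateDatacenterResourceGroup --route-table-name InsideRouteTable -o json` (the field names name, addressPrefix, nextHopType and nextHopIpAddress are AzureCLI's own), maps the next hop to CSRA (192.168.1.4) or CSRB (192.168.1.5), and computes the failover time from a series of polled snapshots. The snapshots and their timestamps are constructed for illustration.

```python
"""Read the InsideRouteTable state from AzureCLI output and time an HA failover (added example).

Snapshots are the JSON printed by:
  az network route-table route list --resource-group CorporateDatacenterResourceGroup \
      --route-table-name InsideRouteTable -o json
The snapshots below are constructed for this example.
"""
import json

ROUTE_NAME = "default_route"      # the route created on InsideRouteTable in step 9
ROUTE_PREFIX = "8.8.8.8/32"
CSR_BY_INSIDE_IP = {"192.168.1.4": "CSRA", "192.168.1.5": "CSRB"}
MAX_FAILOVER_SECONDS = 60         # the guide: the Azure delay should be no longer than 1 minute


def _snapshot(next_hop):
    # Constructed snapshot in az's output shape; only the fields used here are included.
    return json.dumps([{
        "name": ROUTE_NAME,
        "addressPrefix": ROUTE_PREFIX,
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": next_hop,
        "provisioningState": "Succeeded",
    }])


SNAPSHOT_CSRA = _snapshot("192.168.1.4")
SNAPSHOT_CSRB = _snapshot("192.168.1.5")


def active_csr(routes_json):
    """Return 'CSRA' or 'CSRB' from the default_route next hop. Raise if the route is missing
    or no longer looks like the step-9 entry (wrong prefix, next-hop type or an unknown hop)."""
    for route in json.loads(routes_json):
        if route["name"] != ROUTE_NAME:
            continue
        if route["addressPrefix"] != ROUTE_PREFIX or route["nextHopType"] != "VirtualAppliance":
            raise ValueError(f"{ROUTE_NAME} was altered: {route['addressPrefix']} via {route['nextHopType']}")
        hop = route.get("nextHopIpAddress")
        if hop not in CSR_BY_INSIDE_IP:
            raise ValueError(f"{ROUTE_NAME} points at unknown next hop {hop}")
        return CSR_BY_INSIDE_IP[hop]
    raise ValueError(f"{ROUTE_NAME} not present in InsideRouteTable")


def failover_seconds(shutdown_at, samples):
    """samples: [(seconds, routes_json), ...] polled around the moment the tunnel was shut
    (`shutdown_at`, same clock). Returns the delay until the first snapshot whose owner differs
    from the owner seen just before the shutdown, or None if the route never moved."""
    owners = sorted((t, active_csr(j)) for t, j in samples)
    before = [owner for t, owner in owners if t <= shutdown_at]
    if not before:
        raise ValueError("need at least one snapshot taken before the tunnel was shut down")
    old_owner = before[-1]
    for t, owner in owners:
        if t > shutdown_at and owner != old_owner:
            return t - shutdown_at
    return None


def within_limit(delay, limit=MAX_FAILOVER_SECONDS):
    """True when a failover was observed within the expected Azure delay."""
    return delay is not None and delay <= limit


if __name__ == "__main__":
    # Constructed polling run: tunnel shut at t=5 s, Azure re-points the route between t=30 and t=40.
    polled = [(0, SNAPSHOT_CSRA), (10, SNAPSHOT_CSRA), (20, SNAPSHOT_CSRA),
              (30, SNAPSHOT_CSRA), (40, SNAPSHOT_CSRB), (50, SNAPSHOT_CSRB)]
    delay = failover_seconds(5, polled)
    print(f"before: {active_csr(polled[0][1])}, after: {active_csr(polled[-1][1])}, "
          f"failover observed after {delay} s, within limit: {within_limit(delay)}")
```

In a live test, poll the az command every few seconds, record each output with a timestamp, and pass the list to failover_seconds together with the time you shut tunnel1 on CSRA; the measured value is an upper bound rounded up to your polling interval. active_csr deliberately refuses to guess when the route has been changed to a different prefix, next-hop type or an unknown IP, since that is the situation a broken or over-privileged HA configuration would produce.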
Troubleshoot
● Enable debugs to observe messages during HA failover.

CSRA#debug redundancy cloud all
CSRA#debug ip http all
● Authentication and credential errors are due to invalid Access Controls, which are what allow the CSR1000v to make API calls to the Azure route table. Double check that the proper IDs are configured in Step 10.

*Jul 13 23:29:53.365: CLOUD-HA : res content iov_len=449